5

I am trying to publish a signed application, but when downloading it through internet, gatekeeper complains:

Furthermore, the help page says that the app has been tampered with:

Which is actually not true, here is my signing/packaging procedure:

codesign --deep --force --verify -s "Developer ID Application: Nanolive SA (GMLD8K8WH3)" Steve/Steve.app
hdiutil create -volname Steve -srcfolder Steve -ov -format UDZO Steve.dmg
codesign -s "Developer ID Application: Nanolive SA (GMLD8K8WH3)" Steve.dmg

The whole procedure works without a problem, and as you can see, I don't change the package between the signature and the creation of the dmg.

I went through this whole document and I think everything is correct: https://developer.apple.com/library/archive/technotes/tn2206/_index.html

Furthermore, I went through everything in the Checking Gatekeeper Conformance section:

Checking the dmg:

$ spctl -a -t open --context context:primary-signature -v Steve.dmg
Steve.dmg: accepted
source=Developer ID

Using codesign:

$ codesign --verify --deep --strict --verbose=2 Steve.app
--prepared:/Volumes/Steve/Steve.app/Contents/MacOS/ffmpeg
--validated:/Volumes/Steve/Steve.app/Contents/MacOS/ffmpeg

<snip a lot of validated libs>

--prepared:/Volumes/Steve/Steve.app/Contents/Frameworks/libvtkRenderingAnnotation-7.1.1.dylib
--validated:/Volumes/Steve/Steve.app/Contents/Frameworks/libvtkRenderingAnnotation-7.1.1.dylib
Steve.app: valid on disk
Steve.app: satisfies its Designated Requirement

using the check-signature tool:

$ /Volumes/Signature\ Check/check-signature Steve.app
(c) 2014 Apple Inc.  All rights reserved.
YES
$ /Volumes/Signature\ Check/check-signature Steve.app/Contents/Frameworks/*
(c) 2014 Apple Inc.  All rights reserved.
Steve.app/Contents/Frameworks/QtConcurrent.framework: YES

<snip a lot of YES>

Steve.app/Contents/Frameworks/qwt: YES

And lastly using spctl:

spctl -a -t exec -vv Steve.app
Steve.app: accepted
source=Developer ID
origin=Developer ID Application: Nanolive SA (GMLD8K8WH3)

The command line tells me everything is 100% correct, but I still can't launch the app from the user interface because I'm missing something, somewhere, that the command line won't tell me.

Please note that when I bypass the quarantine using the command line, the app launches properly, which implies that I don't have any missing library as far as I'm aware.

The build server runs OSX High Sierra 10.13.6

Thank you for your time and help!

Paul Habfast
  • 81
  • 1
    If you go to Finder and then Applicstions, find your app and right-click it, then select Open, it will give you another button to let you bypass Gatekeeper. Have you tried that to see if the app can open at all? – Jesse P. Oct 09 '18 at 13:47
  • Yes, it works fine if I do that. – Paul Habfast Oct 09 '18 at 14:40
  • Cool. So, at least you know it works and is just a cert issue. – Jesse P. Oct 09 '18 at 14:51
  • Note that https://developer.apple.com/library/archive/technotes/tn2206/_index.html is for 10.11 says look in Aplle Developer for up to date docs...... Current doc might be this one https://help.apple.com/xcode/mac/current/#/dev033e997ca – mmmmmm Oct 10 '18 at 00:14

1 Answers1

3

An rpath Problem

I was able to solve the issue thanks to some external help.

When opening the Console application, I was seeing this message, which comes from the XProtectService, which is apparently the real reference in terms of GateKeeper

default    11:00:31.445713 +0200    XprotectService    File /Volumes/Steve 2/Steve.app/Contents/MacOS/Steve failed on rPathCmd /Users/example/tmp/buildSteve/QtConcurrent.framework/Versions/5/QtConcurrent

Which means that the issue was actually some bad rpath. The rpath is used to find and load frameworks needed by an application.

I wrote a python script to recursively fix the rpath, and now it works.

The script changes the executable's rpath using Apple's install_name_tool. This is not something user's should ever need to do and is exclusively something for an application's developer to fix before deployment.

Graham Miln
  • 43,776
Paul Habfast
  • 81
  • Considering the entire solution seems to be the perl script I would suggest adding it to the answer :) – user7886229 Oct 22 '18 at 11:25
  • Please, share the python script with the fix, or explain it in further detail. Right now this is just a "Yay, I solved the problem" type of answer, doesn't really help without more information. – Ludvig A. Norin Oct 23 '18 at 12:10
  • Actually the problem looks like a mounting disk issue. Your question calls the Value Steve and the answer Steve 2 This is because at some time the disk unmounted incorrectly and left a directory around so the next mount created a new directory and thus chnage the path name – mmmmmm Oct 24 '18 at 14:48
  • It's not a mounting disk issue: one you have your app ready to be packaged, you turn it into a dmg file using hdiutil, and you have to give it a name (in this case, Steve. Once you open the package, on a different computer, the first mounted dmg gets mounted to /Volumes/Steve/, and then the second to /Volumes/Steve 2/ and so on. It's just the standard way mounting dmgs works on macs. – Paul Habfast Oct 25 '18 at 06:44